Unable to create CAA record #36

Closed
davidolrik opened this issue Apr 17, 2018 · 2 comments

@davidolrik

I have tried a lot of permutations of this command:

cfcli -d example.com add -t CAA example.com. 0 issue "letsencrypt.org"

But I always get Error: Response code 400 (Bad Request)

@danielpigott
Owner

Based on the Cloudflare API docs (https://api.cloudflare.com/#dns-records-for-a-zone-create-dns-record), the add command doesn't support creating CAA records with the add record API endpoint. There may be another API endpoint that supports it, but I'd have to look into it.

@ghost

ghost commented Nov 3, 2018

For what it is worth, it seems to be possible to create CAA records through the API with a bit of finessing, using a request like the one below. As far as I can tell, the records appear normally on the Dashboard and behave properly.

curl -H "Content-Type: application/json" -H "X-Auth-Key:my_auth_key" -H "X-Auth-Email:email@example.com" -X 'POST' --data '{"type":"CAA","name":"example.com","data":{"flags": 0,"tag": "issue","value": "letsencrypt.org"},"ttl":1,"proxied":false}' https://api.Cloudflare.com/client/v4/zones/my_zone_identifier/dns_records

Note, however, that Cloudflare publishes dire warnings about CAA records, insisting that they could block the generation of certificates for Universal SSL and cause the entire thing to implode.

I have received very conflicting and confusing replies from Support as to the actual behaviour of the platform. I was told that Cloudflare will automatically add the necessary CAA records to domains that publish CAA records of their own to begin with, but not to domains that don’t. That does not square with the docs, nor does it square with my personal experience, but they were adamant.
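
The request in the comment above carries the CAA fields as a structured `data` object, while the command in the original report passes them in zone-file form (`0 issue "letsencrypt.org"`). As an added example (not part of this thread, cfcli, or Cloudflare's code), the JavaScript below converts one form to the other and applies the RFC 8659 `issue` rule for non-wildcard names, which shows why publishing a CAA record can stop other CAs from issuing. The function names and the trailing-dot handling are assumptions.

```javascript
// Added example: hypothetical helpers, not part of cfcli or Cloudflare's API.

// Parse CAA presentation format (<flags> <tag> <value>), the form passed to cfcli.
function parseCaa(text) {
  const m = /^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+(?:"((?:[^"\\]|\\.)*)"|([^\s"]+))\s*$/.exec(text);
  if (!m) throw new Error('not a CAA record: ' + text);
  const flags = Number(m[1]);
  if (flags > 255) throw new Error('CAA flags must fit in one octet (0-255)');
  // Quoted values may contain backslash escapes; unquoted values are taken as-is.
  const value = m[3] !== undefined ? m[3].replace(/\\(.)/g, '$1') : m[4];
  return { flags, tag: m[2].toLowerCase(), value };
}

// Build the JSON body in the shape of the curl request shown in the comment above.
function caaRequestBody(name, text) {
  return {
    type: 'CAA',
    name: name.replace(/\.$/, ''), // assumption: drop the trailing root dot
    data: parseCaa(text),
    ttl: 1,
    proxied: false,
  };
}

// RFC 8659 "issue" rule for a non-wildcard name: with no issue records any CA
// may issue; once one exists, only the listed issuer domains may.
// Does not model issuewild or the critical flag.
function issueAllowed(records, caDomain) {
  const issuers = records
    .map(parseCaa)
    .filter((r) => r.tag === 'issue')
    .map((r) => r.value.split(';')[0].trim().toLowerCase());
  return issuers.length === 0 || issuers.includes(caDomain.toLowerCase());
}

// Constructed sample record set: one CA authorised, plus a reporting address.
const SAMPLE_RRSET = ['0 issue "letsencrypt.org"', '0 iodef "mailto:sec@example.com"'];

console.log(JSON.stringify(caaRequestBody('example.com.', SAMPLE_RRSET[0])));
console.log(issueAllowed(SAMPLE_RRSET, 'letsencrypt.org'));  // listed CA
console.log(issueAllowed(SAMPLE_RRSET, 'other-ca.example')); // unlisted CA
```
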
